CYBERSECURITY SERIES: INSURANCE
Organisations can typically take steps to “lay off” cyber risk by a combination of the following:
- Take preventative mitigation measures – pre-event mitigation
- Lay off risk to third parties under contract – for example, making service providers liable for breaches due to the providers’ default (post event mitigation)
Lawyers can help primarily with second of these – i.e. making sure that contractual arrangements contain appropriate limitations of liability and counter-indemnities – this should be attractive to insurers since it should help reduce the insured’s liability/exposure and therefore the potential claim submitted to the insurer.
Cyber insurance is one of the fastest growing types of cybersecurity product. This is hardly surprising given that insurance has been reducing business risk in other sectors for nearly 700 years.
Why, when insurance is such a staple, has cyber insurance taken so long to gain a foothold?
- Insurers needed to collect enough data to understand the risk that they are insuring. Historically, businesses in the UK have had a limited obligation to report cybersecurity breaches. In the physical equivalents – burglaries, for example – they probably hold decades of data. Insuring a risk that they don't understand exposes them, so they’ve been cautious entering the marketplace.
- To be insured a business needs to show willing. Demonstrating the equivalent of having a strong enough lock on the door takes time and means that risk can't be insured unless it's been reduced first.
- Some costs of a cyber breach may not be insurable due to public policy reasons. For example, financial penalties may not be covered if the relevant legislation makes that illegal. In fact there are very few countries in the world where insuring against regulatory penalties or fines is allowed, and the UK is not one of them.
WHAT RISK DOES CYBER INSURANCE COVER?
There's two main types of cyber insurance – first and third party.
The types of first party risk businesses might be able to insure include the costs to the business of remediation after a breach, or the loss of income while the business recovers, or the cost of data restoration.
Third party cyber risk insurance often covers risks such as the cost of data breaches to a third party (for example, corporate customers or individuals), or of malware in the insured business' network causing a breach in a third party's system.
We’ve discussed this previously here.
WHAT DOES CYBER RISK INSURANCE NOT COVER
Not all polices are created equal – in fact, each product offers slightly different terms so it's hard to generalise. There are however some certainties...
Cyber insurance will never replace knowing how to do security. It's not an opportunity to abdicate responsibility for a difficult problem, it's an opportunity to manage residual risk (ie recognising that no cyber security system is 100% infallible because of the human element involved).
Why do I know this? Because the thing brokers are most frustrated by when talking about cyber insurance are the number of businesses who approach them, who when asked what risk they want to insure reply “Um... cyber?!”
It's possible, through certain suppliers, to get a basic cyber insurance package if a business can prove that they are Cyber Essentials compliant, so it's not always essential to employ holistic cyber security practices in a business. However, the majority of insurers will expect to have evidence of risk-based security decisions, and the implementation of both technical and human cyber security measures (policies and training as well as technology).
Cyber security best practices include businesses owning the problem, evaluating risk, implementing security and finally detecting, learning and adapting. Companies need to be extremely careful ensuring that the terms of their insurance match their cyber security capability, especially if they can't demonstrate an engagement with all phases of the security lifecycle. So cyber insurance can end up feeling like a catch-22 – businesses need to do some of the things they don't think they can afford to do, in order to get the insurance that they want to cover the risks that they cannot afford to reduce.
What about the risks that cyber insurance attempts to address? Transferring cyber security risk is challenging under any circumstances, not just because it's difficult to find cyber security requirements that both parties are able to agree upon before a risk is transferred, but because of how much of the damage is done by reducing the value of intangible assets such as reputation and goodwill. Although insurance provides a means to reduce the financial impact of damaging an intangible asset, unlike other security products the aim isn’t to reduce the risk of a breach itself.
Generally, the risk that is keeping business owners and decision makers awake at night is having to publicly notify their customers that they've made a mistake. When businesses transfer responsibility for cyber security risk to another organisation they don't fully transfer it for just that reason. Although there are some examples (such as SMEs using payment services like PayPal to avoid having to collect personal information) that allow businesses to completely transfer responsibility, most of the time we transfer a task that is still done in the name of the original organisation.
When we insure against burglary we're paying to not worry about losing possessions we might not be able to afford to replace. When we buy cyber insurance the insurer can’t alleviate the fear of a breach, because the concern comes from having to tell anyone it happened. However comprehensively an insurance company is willing to cover a breach, they can’t override any legal, contractual or ethical requirement to notify anyone else who might have been affected.
Insurers might pay out for first party losses such as incident response, support with the cost of public relations, or for the loss of income while systems are down. They might even pay out for legal defence costs against regulatory action or claims from individuals or corporate customers (although when this cover is triggered and when it pays out will differ). However, as mentioned above, it is highly unlikely they will cover regulatory penalties.
If a business doesn't believe it can survive the reputational damage of a large data breach then an insurance pay-out may only ensure that employees and creditors don't also suffer the consequences of the breach. Given the hundreds of millions of losses large businesses reportedly limp through, “too big to fail” definitely has its place in this conversation – small businesses are far less able to weather a breach, so those least able to afford to implement security measures also experience harsher consequences.
WHAT WORRIES THE WORLD AT LARGE ABOUT CYBER INSURANCE?
Currently cyber security is one of the top two risks in most larger businesses and a major concern in SMEs. That means that widespread cyber breaches have the power to leave massive dents in the economy. The more personal data that becomes public the harder it is for individuals to avoid identity theft and the easier social engineering becomes.
As mentioned above, perfect cyber security is impossible, so what security measures offer is an opportunity to increase the mean time between inevitable breaches. Cyber insurance offers to remove some of the financial risk to one stakeholder without reducing the broader reaching consequences of a breach.
It's worrying if someone sells a business a security panacea because it means they stop thinking about a problem while their adversaries evolve. It's even more worrying when that fix reduces risk without reducing the likelihood of a breach, because there's still a loss in the economy and harm to third parties.
The caution of the insurance industry and the high barrier to entry that they set for cyber insurance offsets the risk of replacing security with insurance... but this only works if businesses understand the standard that they are being held to by their policies.
Cyber insurance becomes a cyber security risk if businesses think that they're insured when they're not.
Cyber insurance has an important role to play in offsetting cyber security risk. However, the need to evaluate cyber risk and demonstrate a certain level of security to insurers, the motivation legislators have in including cyber security requirements and the ultimate survivability of a breach means it's never the first security investment to be made.
Insurance can't replace security. Reducing risk is a gradual process, where small changes can provide large gains. Insurance’s role is to carry the residual risk, once a business has done everything they can to make breaches happen less often. It's the measure to employ once there's no obvious low hanging fruit left to work on, not the easy option.
ABOUT OUR CYBERSECURITY SERIES
Clayden Law has teamed up with technical expert, Emma Osborn. and over the next few months we will provide some back-to-basics analysis of the technical, legal and data protection issues surrounding cybersecurity, aimed at organisations’ non-technical decision-makers. Together, we’ll be highlighting key cybersecurity and data privacy fundamentals and looking at the interplay between law and practice in this area. For more information, click here.
Please be aware that these notes have been compiled for general guidance only and should not be considered as specific legal or technical advice.
Piers Clayden, firstname.lastname@example.org
Solicitor & Director, ClaydenLaw
© ClaydenLaw 2018